PT-2002-1085 · Openssh+3 · Openssh+3
Peter · Published 2002-06-06 · Updated 2026-02-09
CVE-2016-20012
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OpenSSH versions through 8.7
Description
The issue allows remote attackers to test whether a certain combination of username and public key is known to an SSH server. This occurs because a challenge is sent only when that combination could be valid for a login session. The vendor does not recognize user enumeration as a vulnerability for this product.
Recommendations
For OpenSSH versions through 8.7, consider restricting access to the SSH server to minimize the risk of exploitation, as the vendor does not recognize this as a vulnerability and may not provide a patch. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Information Disclosure
Side Channel Attack
Related Identifiers
Affected Products
Alt Linux
Debian
Openssh
Red Os